New Mirai-Based Botnet Exploits Zero-Day Vulnerabilities in Industrial and Smart Devices
A sophisticated Mirai-based botnet is leveraging zero-day exploits and custom vulnerabilities to compromise industrial routers and smart home devices. First observed in February 2024, this botnet has rapidly evolved, exploiting both n-day and zero-day flaws, including a critical vulnerability, CVE-2024-12856, in Four-Faith industrial routers.
Emerging Exploitation Activity
Researchers from Chainxin X Lab reported that exploitation of CVE-2024-12856 began in late December 2024, shortly after its discovery by VulnCheck. This vulnerability, combined with custom exploits for flaws in Neterbit routers and Vimar smart home devices, has expanded the botnet’s infection capabilities.
Botnet Profile
The botnet, whose name contains offensive language, is built on a Mirai-based framework and maintains an average of 15,000 active daily bot nodes across the following countries:
- China
- United States
- Russia
- Turkey
- Iran
Key Features:
- Attack Objectives: Primarily used for DDoS attacks targeting hundreds of entities daily. Activity peaked in October and November 2024.
- Propagation Mechanism: Combines public and private exploits for over 20 vulnerabilities to infect diverse devices.
- Brute Force Module: Targets devices with weak Telnet passwords.
- Custom Malware Attributes: Implements Mirai-like commands, uses custom UPX packing, and scans for additional vulnerabilities across networks.
Targeted countries
Source: X Lab
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Targeted Devices and Vulnerabilities
The botnet exploits vulnerabilities in a wide range of devices, including:
Device Type | Exploits Used |
---|---|
ASUS routers | N-day exploits |
Huawei routers | CVE-2017-17215 |
Neterbit routers | Custom exploit |
LB-Link routers | CVE-2023-26801 |
Four-Faith routers | CVE-2024-12856 (zero-day) |
PZT cameras | CVE-2024-8956, CVE-2024-8957 |
Kguard DVRs | Remote code execution vulnerabilities |
Lilin DVRs | RCE exploits |
Vimar smart home devices | Likely undisclosed vulnerabilities |
5G/LTE devices | Weak credentials and misconfigurations |
The botnet actively infects DVRs, routers, and smart home devices, further highlighting the vulnerabilities present in internet-exposed systems.
DDoS Attack Characteristics
X Lab’s telemetry revealed that the botnet’s DDoS attacks are:
- Short in Duration: Lasting between 10-30 seconds.
- High in Intensity: Surpassing 100 Gbps of traffic, capable of disrupting even robust infrastructures.
- Global in Reach: Attack targets span China, the US, Germany, the UK, and Singapore, affecting various industries.
Botnet attack volumes
Source: X Lab
Mitigation Recommendations
To defend against this botnet, users should:
- Install Updates: Apply the latest firmware updates to patch known vulnerabilities.
- Replace EOL Devices: Upgrade end-of-life devices to models receiving regular security updates.
- Secure Configurations:
- Change default credentials to strong, unique passwords.
- Disable unnecessary remote access interfaces.
- Network Monitoring: Use intrusion detection systems to identify anomalous behavior.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com